Creating A Personal Password Policy (P3)

Passwords are a big deal to me. The right break-in to the right account and a person could hi-jack my e-mail, order stuff from my Amazon account, take control of my domain names, and who knows what other unthinkable acts.

I used to think that a good password was a single alpha-numeric password that I could use everywhere. And that's what I did.

Later I wised up to the fact that all it would take is one leak, and now every account I have is compromised.

So then I devised my 1st "Personal Password Policy" (and I didn't even know that term yet). And what is a PPP? Simply put, it's putting thought into the passwords you create and use: not just picking passwords at random, but actually laying out a plan that will keep your data secure.

My original PPP was three passwords divided into tiers by how secure I wanted each account to be. The good part of this idea was that my really important accounts were separated from the run-of-the-mill accounts that I was creating on almost a weekly basis from ordering on-line, participating in on-line forums, etc. The bad part was that all of my highly important accounts were still using the same password, meaning that 1 leak and my most valuable accounts could all get infiltrated.

I worked at a company that had a guy steal customer data. It happens. He was stupid and stole credit card information (he also got jail time). He could just as easily have stolen e-mail addresses and passwords, and with near certainty could have gained access to at least 80% of the accounts - gaining himself access to much more than a single credit card number.

So I changed my PPP to an unrestricted number of mostly unique passwords. Meaning, I had about 15-20 unique passwords, with highly secure accounts each having their own password, and run-of-the-mill accounts still using a generic shared password (semi-funny note: this weak shared password used to be my highly secure single password).

Of course this list of passwords grew to be totally unmanageable by memory, so I created an Excel spreadsheet that I used to manage my passwords and the matching usernames, and it had some other info in there too. I gave it a totally inconspicuous name, and then used Windows XP's built-in encryption feature to encrypt the file to my user account.

I kept this PPP in effect for several years. And it worked for me, for the most part. Occasionally there were times when I found myself away from home and not able to recall my password for an account. And not able to access my Excel file. And very much out of luck. And so I discovered that a PPP was not enough. I needed to have a PPPP (Portable Personal Password Policy).

But at the time I had no idea on how to make a portable PPP. I didn't want to just keep a print-out of my Excel sheet in my wallet.

It wasn't until this year, when I was researching an Internet Safety presentation that I was giving and searching for ideas on what makes a good password, that I found some great items such as:

This bookmarklet idea was (and still is) awesome. To use it, all you need is a single "master password" that you need to remember. This password is never shared with anyone. It is never transmitted over the internet. It is as secure as you want it to be. The bookmarklet sits in your browser, and when you click on it, it asks for your master password, then it takes the domain name of the web page you are on and creates a unique hash out of the domain name using your master password as the key. I keep it in my Mozilla Firefox Bookmark Toolbar (this also works for Internet Explorer and Opera).

This is a great tool, and in my mind, a perfect PPP. But what about portability? You can't always have your bookmarklet handy because you aren't always home on your own machine, or on your notebook. You could be at a friend's house. In these cases you can use the web page version of the exact same formula. I have an easy way for myself to locate the generator from any internet enabled location I find myself in.

The web page version also allows you to enter in non-domain name values that you can create hashes for. So if you wanted to create a unique password for your locked Microsoft Money file, you could create a hash of the string "MS Money" using your master password.

To further make this portable... you can put the HTML for the web page version on a USB thumb drive and take this anywhere with you. You no longer need internet access. I personally created my own back-up of the web page and bookmarklet version of this method just in case the web site goes off-line.

There is however one fatal flaw in this person's code. It uses the entire host name, not just the domain name. For example: www.digg.com is different than digg.com, and login.paypal.com is different than www.paypal.com. This causes trouble on a handful of sites that pass you around between sub-domains and don't always have the login on the same sub-domain.

Chris Zarate ran into this same problem, so he created a new bookmarklet that only uses the domain name. I plan on switching my passwords over to this new formula as time permits.

In August Leo Laporte and Steve Gibson launched a podcast called Security Now!. It's an excellent podcast revolving entirely around security. And I was very well pleased when they did a two-part special entirely devoted to passwords, encouraging people to actually think about their passwords and to each create their own Personal Password Policies (and to think about portability). I highly suggest everyone listen to these two episodes and hear all they have to say about passwords. They basically cover everything (useful) I have learned about passwords in all my life in less than 45 minutes.

Here are links to get the goods:

Episode #4 (Part 1 of Passwords) MP3 Audio
PDF Transcript
Note: They don't dive into passwords until 8:35 in the audio or the bottom of page 3 in the transcript.

Episode #5 (Part 2 of Passwords) MP3 Audio
PDF Transcript

I hope you have found this entry useful, and if you don't already take your passwords seriously, that you will start soon. If I have left anything unclear, please send me an e-mail or post a comment, and I will follow up.